Thursday, October 17, 2013

Forcese on legality of CSE's operations

University of Ottawa law professor Craig Forcese has written a fascinating and highly useful explanation of some of the legal issues pertaining to CSE's foreign-intelligence operations and use of metadata ("A Tale of Two Controversies: Thoughts on CSEC’s Headline Act(s)," National Security Law blog, 16 October 2013):

Over the last half year, Canada’s once largely unknown signals intelligence agency has twice become a veritable media blockbuster. In both instances, this notoriety arises as a collateral consequence of the Snowden datadump on US signals intelligence and intercept practices.

Last summer, the Globe and Mail focused on CSEC’s metadata intercept practices, during a time in which the US National Security Agency’s equivalent conduct was under the microscope. More recently, documents obtained directly from Snowden seem to disclose covert surveillance of some sort by CSEC on the Brazilian ministry of mines, perhaps undertaken as part of the “five eyes” signals intelligence alliance between Canada, the United States, the United Kingdom, Australia and New Zealand.

In this brief talk, I wish to briefly identify several legal issues these two controversies raise. ...

It's worth your time to read the entire article, which is brief even by the standards of normal people, let alone those of lawyers.

Some comments/questions:

As Forcese points out, the Brazil operation was fundamentally a foreign intelligence operation, and he provides an interesting introduction to the legal environment pertaining to such foreign intelligence-gathering.

But I have to quibble a little with his characterization of the Brazil case as one with no "domestic nexus". As I pointed out here, some of the communications analyzed by CSE had one end in Canada and thus did involve Canadians or persons in Canada. These communications were therefore "private communications" under Canadian law. We do not know whether these "private communications" were actually intercepted or only their metadata was examined. If their content was also examined, presumably CSE relied on one or more of the Ministerial Authorizations that govern the monitoring of various forms of communication to render this activity legal.

Still, I can see the value of restricting the Brazil discussion to the laws pertaining to foreign intelligence and reserving the discussion of "private communications" for the second section of the piece, in which Forcese addresses the issues related to domestic metadata and domestic communications.

Having reviewed heavily redacted documents obtained from CSEC and other government agencies on CSEC metadata collection, it would appear (although one can’t be certain) that CSEC has not sought or received ministerial authorization in relation to metadata collection. Instead, it collects pursuant to a ministerial directive and internal policy.

I think this is correct. As the CSE Commissioner reported here (PDF p. 9), “Metadata is not [one line redacted] a private communication as defined in the Criminal Code. CSEC does not require a ministerial authorization to conduct metadata activities [2-3 words redacted] because these activities do not involve private communications.” The redactions in these statements make it impossible to be certain that this interpretation is absolute and uncontested (the redacted portions might outline exceptions or record dissenting views), but the gist of CSE's overall approach to metadata seems clear.

Forcese:

If this is so, this must mean that CSEC and its Justice lawyer advisors are confident that metadata collection does not implicate incidental collection of private communication. My suspicion, reading between the heavily redacted lines in these documents, is that this view in turn reflects an understanding of metadata as something other than “communications”.

Private communication, under the Criminal Code, is any oral communication or any telecommunication. The government legal theory must be, therefore, that metadata – data about data – is neither an oral communication nor a telecommunication. This theory depends, in other words, on an interpretation of the Act that limits its reach to content and not the superstructure around that content (e.g., who was called, when from what location and number, for how long etc.), even if that superstructure is, in turn, quite informative. This may be a plausible legal hypothesis, but one upon which much turns: unauthorized intercept of private communication is a crime.

I have a couple of questions in this regard that perhaps Professor Forcese can answer for the legal ignoramuses (ignorami?) such as myself out here in the general public.

The metadata associated with communications are not random numbers transmitted for no reason. They are in fact communications between telecommunications companies/providers or separate offices of the same company transmitted for addressing and billing purposes and perhaps sometimes for corporate data-mining purposes as well. In the case of telephone communications, they run (or ran) in a dedicated communications channel called Signalling System 7, which is specifically targeted by SIGINT agencies. If at least one end of the associated communication is in Canada, then it is a pretty safe bet that in a large percentage of cases at least one recipient of the metadata communication also resides in Canada. Why are these communications of metadata not "private communications"? Is it possible that these communications are being obtained with the express or implied (say, through regulatory fiat) permission of the telecommunications companies, and thus that no additional legal authority is required?

Forcese:

In 2005, CSEC’s review body, the commissioner of CSEC, suggested that there were some collection activities undertaken under Mandate A that should have been undertaken under Mandate C. Mandate C – assistance to law enforcement and domestic security intelligence agencies – depends on these bodies being themselves authorized to collect information. In practice, that typically would mean a warrant under the Criminal Code or the CSIS Act.

What we don’t know is what exactly CSEC did under Mandate A that should have been done (in the commissioner’s eyes) under Mandate C. One suspects that if the Commissioner concluded that Mandate A was inapplicable, this was not about collection of foreign intelligence.

This is a very interesting case. Forcese is certainly correct that we don't know exactly what CSE was doing in this instance. One possibility, however, is that CSIS and the RCMP were providing the names and contact information ("selectors") of Canadians/persons in Canada that they were investigating to CSE and asking CSE to map out the foreign contacts of these individuals extending one or two hops out (i.e., including the foreigners with whom the foreign contacts were themselves in contact). Insofar as such communications would be either cross-border or entirely foreign, the argument could be made that they were foreign-intelligence-related, and thus were appropriately a mandate (a) activity. However, insofar as such a network would in fact be centred on a Canadian/person in Canada and the analysis would have been undertaken in order to provide information relevant to investigation of a subject in Canada, it could be argued at least as compellingly that such information is not "foreign intelligence" but intelligence related to Canadians/persons in Canada.

Whatever the real facts of the dispute may be, CSE revised its procedures related to such activities "significantly" in 2008, and a subsequent review by the CSE Commissioner of activities conducted after the changes were made agreed that they were now appropriately authorized under mandate (a) (see PDF page 18 of these documents):

The [redacted] conducted by CSEC during the period under review were appropriately authorized under part (a) of CSEC’s mandate. With the significant changes made to these activities as described in the background section of the report and as summarized on the next page, the Commissioner has no questions like those raised in previous reviews as to whether such activities would be more appropriately authorized under part (c) of CSEC’s mandate. The new processes put in place and followed by CSEC for the activities conducted during the period of review are assessed as consistent with part (a) of CSEC’s mandate.

It is perhaps reassuring that this particular dispute between the CSE Commissioner and CSE is now apparently resolved.

But there is something I find disturbing about these documents. In the end, the CSE Commissioner never expresses an official judgement on the appropriateness (and thus the legality) of CSE's approach to these activities prior to the 2008 changes.

We are left with the distinct impression that the Commissioner's office remains of the view that the pre-2008 activities were not appropriately authorized under mandate (a), but the issue is dropped.

Is this how our watchdog works? No judgement of legality is made for years because the government disputes the Commissioner's view, and then the issue is dropped because CSE stops doing things in the way that caused the concern in the first place?

How many other times has CSE broken the law in the view of Commissioners and then escaped being held accountable because the activities in question were subsequently modified or halted?